---
title: SystemPolicyRule
framework: devicemanagement
role: symbol
role_heading: Device Management Profile
path: devicemanagement/systempolicyrule
---

# SystemPolicyRule

The payload that configures the system policy.

## Declaration

```data
object SystemPolicyRule
```

## Properties

Comment: This string appears in the System Policy UI. If it’s missing, PayloadDisplayName or PayloadDescription is entered into this field before the rule is added to the System Policy database. Expiration: The expiration date for rules being processed. LeafCertificate: The single leaf certificate for the app that is in the allow list. OperationType: The type of operation. Priority: The rule’s priority. Requirement: The policy requirement. This key must follow the syntax described in Code Signing Requirement Language.

## Discussion

Discussion Specify com.apple.systempolicy.rule as the payload type. This payload allows control over Gatekeeper’s system policy rules. The keys and functionality are tightly related to the spctl command line tool. For more information, see the manual page for spctl. This payload can only exist in a device profile. If the payload is present in a user profile, an error occurs during installation and the profile installation fails. Profile availability  |   |   |   |   |   |   |   |  Profile example <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>     <key>PayloadContent</key>     <array>         <dict>             <key>Priority</key>             <real>101</real>             <key>Requirement</key>             <string>anchor apple generic and identifier "com.example.myapp" and (certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ and certificate leaf[subject.OU] = "ABCDE12345")</string>             <key>PayloadIdentifier</key>             <string>com.example.mysystempolicyrulepayload</string>             <key>PayloadType</key>             <string>com.apple.systempolicy.rule</string>             <key>PayloadUUID</key>             <string>624b5152-a1cd-4bac-baa3-51fbb1f04973</string>             <key>PayloadVersion</key>             <integer>1</integer>         </dict>     </array>     <key>PayloadDisplayName</key>     <string>System Policy Rule</string>     <key>PayloadIdentifier</key>     <string>com.example.myprofile</string>     <key>PayloadType</key>     <string>Configuration</string>     <key>PayloadUUID</key>     <string>7fa54f02-e6e1-4042-bb75-a2a4d962ac6d</string>     <key>PayloadVersion</key>     <integer>1</integer> </dict> </plist>

## See Also

### System policy

- [SystemPolicyControl](devicemanagement/systempolicycontrol.md)
- [SystemPolicyKernelExtensions](devicemanagement/systempolicykernelextensions.md)
- [SystemPolicyManaged](devicemanagement/systempolicymanaged.md)